Exploit software is released one month after the serious weakness came to light.

Security consultants have independently confirmed a serious security weakness that makes it trivial for hackers with physical control of many computers sold by Dell, Acer, and at least 14 other manufacturers to quickly recover Windows account passwords.

The vulnerability is contained in multiple versions of fingerprint-reading software known as UPEK Protector Suite. In July, Apple paid $356 million to buy Authentec, the Melbourne, Florida-based company that acquired the technology from privately held UPEK in 2010. The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.

The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner's unique fingerprint, instead of a user-memorized password. Last month, Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise would be because it stores Windows account passwords in the registry and encrypts them with a key that is easy for hackers to retrieve. It takes only seconds for people with the key to extract a password, company officials said. They withheld technical details to prevent the vulnerability from being widely exploited.

Now, a pair of security consultants say they have independently verified the vulnerability and released open-source software that makes it easy to exploit it. Easily decrypted passwords are stored in one of several registry keys located in HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\, depending on the application version. The duo said they released the software and additional information so that penetration testers, who are paid to penetrate the defenses of their customers, can exploit the weakness.

"From a penetration testing perspective, local administrator access is required to obtain the necessary registry key's value, so it only matters if you already have control of the PC," Brandon Wilson, one of the security consultants, told Ars. "But since so many of these devices are used in corporate environments, it makes it easy to obtain domain credentials, and from there, easily expand an attack to other systems."

When Protector Suite isn't activated, Windows doesn't store account passwords in the registry unless users have specifically configured an account to log in automatically. Security experts have long counseled people not to use automatic login. Disabling Windows login functionality from within Protector Suite will not remove the password from the registry key, the penetration testers confirmed. If the "passport" for that user is deleted from within the application, the password is also deleted. When uninstalling the application, the user is offered the option to also delete the passport data. If the data is left in place, the password remains; if it is removed, the password is deleted, Wilson said.
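As an added defensive check that is not from the article or from UPEK/Authentec, the following PowerShell audit script reports whether a Windows host still holds Protector Suite passport data under the registry path the article names, so an administrator can apply the remediation described above. It assumes it runs as a local administrator; the Wow6432Node paths and the product-name patterns used to find the installed software are assumptions, not values from the article.

```powershell
# Added audit script (not from the article or from UPEK/Authentec). It only
# enumerates keys and counts values; it never reads or decrypts a stored credential.
# Assumptions: run as local administrator; the Wow6432Node paths are assumed
# locations for 32-bit installs on 64-bit Windows and may not exist.

$passportPaths = @(
    'HKLM:\SOFTWARE\Virtual Token\Passport',               # path named in the article
    'HKLM:\SOFTWARE\Wow6432Node\Virtual Token\Passport'    # assumption (32-bit on x64)
)

# Product names from the article; matched against DisplayName of installed programs.
$productPatterns = @('UPEK Protector Suite', 'ThinkVantage Fingerprint')

function Get-ProtectorSuiteInstall {
    # Installed programs are listed under the standard Uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($productPatterns | Where-Object { $name -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion
}

function Get-PassportResidue {
    foreach ($path in $passportPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        # Count the root key's own values plus every value under its subkeys;
        # any non-zero count means passport data (and so a stored password) may remain.
        $root    = Get-Item -Path $path
        $subkeys = @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        $values  = $root.ValueCount
        foreach ($key in $subkeys) { $values += $key.ValueCount }
        [PSCustomObject]@{
            Path        = $path
            SubkeyCount = $subkeys.Count
            ValueCount  = $values
        }
    }
}

$installs = @(Get-ProtectorSuiteInstall)
$residue  = @(Get-PassportResidue)

if ($installs.Count -gt 0) {
    Write-Output "Fingerprint software installed:"
    $installs | Format-Table -AutoSize | Out-String | Write-Output
}
if ($residue.Count -gt 0) {
    Write-Warning "Passport registry data present; a stored Windows password may be recoverable."
    $residue | Format-Table -AutoSize | Out-String | Write-Output
    Write-Output "Remediation per the article: delete the user's passport inside the application, or uninstall and choose to remove passport data."
} elseif ($installs.Count -eq 0) {
    Write-Output "No Protector Suite install and no passport registry data found."
} else {
    Write-Output "Software installed, but no passport data found under the checked paths."
}
```

Run it from an elevated PowerShell prompt; it exits without changing anything, so the remediation step is left to the administrator.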

According to Wilson, every version of the software labeled "UPEK Protector Suite" that he and fellow penetration tester Adam Caudill have analyzed has tested positive for the vulnerability. In addition to Dell and Acer, other PC makers that preinstall the software include Amoi, Asus, Clevo, Compal, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba. UPEK Protector Suite is also rebranded by Lenovo as ThinkVantage Fingerprint Software, Wilson said.

Given the claims made in the UPEK software that it's a safe alternative to account logins, it's surprising there has been no recall or an advisory warning of the vulnerability. Representatives from Apple and Authentec didn't respond to an e-mail seeking comment for this brief.

Update October 11, 2012: As reported elsewhere on Wednesday night, Authentec issued a patch for UPEK Protector Suite in mid-September. Adam Caudill, one of the penetration testers who independently confirmed the vulnerability, told Ars they were unaware of that release until Wednesday night. In an e-mail, he described the patch as a "band-aid" because under the new version, passwords are protected using encryption that's trivial to brute force. More details from the Threat Post blog are here. What's more, the patch has yet to be pushed out to many users, and Ars isn't aware of any advisories warning of the vulnerability or advising users to install the newer version.

Promoted Comments

The "owned by Apple" is a nice touch of link bait. Bet Ars gets 10x the hits for using the headline to imply some kind of conspiracy or negligence on Apple's part.

What do you want them to do, pretend Apple doesn't own the company or bury that information just to protect your sensibilities? Apple owns the company, end of story. And if any other major computer firm had owned it, I'm sure that would have been mentioned in the headline, too, because it happens to be the most salient fact about the chain of corporate command, which is something everybody wants to know when there is a major exploit.

Authentec owns the patents in the area; its implementation flaw is OS specific... that is Windows in this case, which they had long before Apple acquired them. It uses the Windows registry to store passwords insecurely... a fitting implementation for an inferior OS... Apple would take their patents and deliver a better implementation for OS X/iOS.. meanwhile Windows will continue to languish with mediocre implementations of the same.

I honestly wasn't trying to troll anyone. It's a fact that Apple owns this software and that more than a month after this serious weakness came to light has yet to issue an advisory warning end users of it.

Especially since Google has fully completed the acquisition of Motorola.

However, when to-be-Apple-owned AuthenTec makes headlines the "Apple Owned" makes it into the headline. Apple has not even completed the acquisition of AuthenTec and are still waiting for regulatory approval which means that Apple has no current direct control over AuthenTec.

Maybe this is only because few people know who AuthenTec is, but many know the name Motorola, but it seems odd to reach out to Apple for comment.

You'd need a modification to domain authentication for anything like this idea to work. Something derived directly from the fingerprint should be sent directly to the server, which itself should determine if the fingerprint is correct. No key should be stored on the client, otherwise it's trivial to compromise it no matter how much encryption (really obfuscation) you do.

Usually physical access will not allow someone to find out what the login password is, which is an important distinction since that login password might also be used elsewhere to access things you do not have physical access to.

Also... isn't this the company Apple only purchased just recently and has informed all its customers that they need to start looking for business elsewhere, because it's going to be shut down?

Yeah, but there's other ways of getting a domain password when you have physical access (eg attack on password cache or just install a rootkit/keylogger if the machine will be used again). Yes this can be done without any further interaction (eg lost laptop), but you've already broken the fundamental rules of computer security here.

Depending on what was on said computer, your domain password may be the least of your concerns anyway.

It's odd. Whenever we write about Motorola, and put "Google" in the subheadline and first sentence but not in the headline, there are a series of complaints that we're trying to protect Google. I wonder: if we relegated Apple to the subheadline and first sentence, would we get called out for not emphasizing Apple's role more? Would the same people who complain we are too pro-Apple say we're protecting Apple from criticism? Alternatively, if we put Google in the headline on Motorola stories, would we be accused of being anti-Google instead of the current situation in which we're accused of trying to protect Google?

Whether it's in the headline, subheadline, or first sentence, the fact that a company is owned by either Apple or Google is noteworthy. Sometimes, it just makes more sense to put it in the headline—such as a case like this in which a company is less well known than something like Motorola.

Surely, we can find more important things to complain about.

Every case is different, I think people just feel the Apple connection in this case is extremely loose and thus didn't really belong in the headline (as someone said, it feels "shoehorned in"). The fact that Apple owns the company has little bearing on the content. I'm not even sure Apple officially owns Authentec yet, aren't they still closing the deal?

Fingerprint recognition is a joke. Using as a secret for verifying your identity something that is not a secret and that can be found all around your stuff (including the thing you have to authenticate to) is ridiculous. And no, no popular fingerprint scanner does "live" detection; all they do is scan a vague temperature pattern that can be faked almost as easily as the print itself. And most don't even do that. I'm yet to find a consumer-oriented (or even enterprise-oriented) fingerprint scanner I couldn't get my way into in less than an hour. So even without this vulnerability (which is lame), if you have a fingerprint scanner in your computer, don't use it. Alternatively, leave it unlocked and without a password, which is about the same as using the fingerprint scanner.

No, we are on arstechnica to read about tech news, and we have an expectation that you guys aren't just trolling for traffic but actually making a half-assed or perhaps even professional attempt at providing us with engaging content.

So the criticism is warranted and your hand-waving it away isn't helping your credibility. The article title is sensationalist drivel which directly implies that Apple is behind the flaw which affects Windows computers. Don't pretend you think it means otherwise. It is news that Apple bought them, but has no relevance to the article itself other than a footnote. You can ignore the criticism but that is foolish. Suck it up and change the title.

I disagree with this. In Windows, domain passwords are NOT stored either encrypted or obfuscated (much less in the clear) on the computer. There's no password storage. Only the hash is stored. And the hash stored on the computer cannot be used to authenticate the user against other servers; it can only be used to validate that the user has the password. True, if you have the hash, you can do a lookup table to see if the hash is in a "rainbow table" of "easy" passwords, but then it is up to the password strength. If you have a weak password then you are dust. So it is not true that having physical access means that you can obtain the domain passwords of users of the machines, unless they have weak passwords to begin with. What is true is that if you have the machine (and the machine doesn't have an encrypted drive) you can then inject code in the machine that could, if the machine is later used by an authorized user, disclose the passwords (or worse). But that's different from this vulnerability. In this case, physical possession of the machine means that the users' passwords can be obtained in full without regard for the password strength.

I ignored the title debate to begin with, but if you're going to play the 'damned if we do...' card I'll take the bait.

jbrodkin wrote:

It's odd. Whenever we write about Motorola, and put "Google" in the subheadline and first sentence but not in the headline, there are a series of complaints that we're trying to protect Google.

Any such story revolves around the smartphone patent wars. Google spent $12B for Motorola specifically to get control of its patent portfolio for use in those wars. Talking about Motorola's patent-related actions as if they're some sort of arms length activities from the mothership is ridiculous; if Motorola files or withdraws a suit, you can bet Google corporate had the final say in the decision. Probably the only say, when it comes to it.

Quote:

I wonder: if we relegated Apple to the subheadline and first sentence, would we get called out for not emphasizing Apple's role more? Would the same people who complain we are too pro-Apple say we're protecting Apple from criticism?

Sure, but only from idiots. Apple isn't buying this company to sell Windows software, they're buying it to strip the IP. The Windows programmers are probably already looking for new work and the ink isn't even dry on the deal yet. I think the criticism of your reporting here is that you make it sound like Apple is ignoring security problems in a supported product. This thing is more dead than Final Cut Pro, any claim that, "it's surprising there has been no recall or an advisory warning of the vulnerability" sounds a little overwrought.

Quote:

Alternatively, if we put Google in the headline on Motorola stories, would we be accused of being anti-Google instead of the current situation in which we're accused of trying to protect Google?

Again, Motorola was bought by Google for its patent portfolio, so any post-purchase patent actions by Motorola are clearly what Google paid for. The Motorola brand is merely a fig leaf at this point.

Quote:

Whether it's in the headline, subheadline, or first sentence, the fact that a company is owned by either Apple or Google is noteworthy. Sometimes, it just makes more sense to put it in the headline—such as a case like this in which a company is less well known than something like Motorola.

Notoriety makes some sense, if you're writing about technical subject matter to a lay audience. Which you're not.

Quote:

Surely, we can find more important things to complain about.

I'd stick with this line, rather than coming out with defensive comments that imply it's difficult to get the easy stuff right.

Uh, the merger closed on 4 October (something that should probably be mentioned in the article--it's more pertinent than the announcement of the intention to merge, which then had to be approved by shareholders). In light of that, I think in this case very little of the blame should be laid on Apple.

Once you have physical control over a computer, any security short of encryption is just a locked screen door. Windows password recovery has been and still is an easy task with the appropriate utility.

I come to Ars to get away from that crap, so seeing something like this here is deeply disappointing.

"Deeply disappointing"? Really?

I'm interested in technology, but can't stand most tech news sites and the empty snark, fanboi wars, soft-headed "analysis", and transparent linkbaiting they engage in. Ars is usually much better than that, so yeah - I'll stand by "deeply disappointing." (Especially after the hand-waving justifications from the editors.)

You'd need a modification to domain authentication for anything like this idea to work. Something derived directly from the fingerprint should be sent directly to the server, which itself should determine if the fingerprint is correct. No key should be stored on the client, otherwise it's trivial to compromise it no matter how much encryption (really obfuscation) you do.

I think the better question is whether it's possible to do something like this securely without ripping parts of Windows out and replacing them? Given the way that this was implemented, I wouldn't be surprised if there isn't the appropriate framework to implement this correctly...

Strange how there are 25 or so posts pre-empting the trolls, yet..no trolls? I guess you all chalk that up to your intelligent strategy of heading them off? lol. Oh yeah, and we get the omnipresent 'Windows is inferior' troll in an article that has nothing to do with a Windows technology. backasswards or what..

All they have to do now is issue a security memo with instructions for uninstalling the software and removing the registry key. Your Lenovo/Sony/Samsung laptop no longer has a working fingerprint reader. Problem solved.

Yeah, more likely they were only interested in the patents, and maybe also the engineering talent (doesn't sound like it though, after learning about this exploit).

Apparently Authentec's existing customers (dell, hp, etc) are freaking out a bit, because Apple is probably going to shutdown Authentec, they need to find a competitor. Trouble is, Authentec has important patents so there isn't really any viable competition unless they can convince Apple to license the patents.

Microsoft has their own SDK that adds native support for these devices into Windows and actually does it the correct way. Besides, these companies have not used Authentec's software itself since Windows Vista was released. The only reason this software existed is because Windows XP didn't support these devices and this authentication method in a native, secure way.

On a separate note, why is Apple even being mentioned? This security flaw is not new, the exploit is not new; the real story is the exploit still has not been fixed.

Quote:

This thing is more dead than Final Cut Pro, any claim that, "it's surprising there has been no recall or an advisory warning of the vulnerability" sounds a little overwrought.

Bullshit. The program hasn't even hit End of Sale, much less End of Life. It is still supported quite well. On top of that, as long as it's before the End of Life date, advisories are expected. Doesn't matter who owns the software.

Quote:

Notoriety makes some sense, if you're writing about technical subject matter to a lay audience. Which you're not.

If you think Ars is writing to you or me or the other nerds, you've got too high an opinion of yourself. Ars Technica has a bigger audience than in 1999, and is definitely writing for the lay person.

Quote:

All of this technology is now obsolete.

That's why they released a new version of their software on September 18, 2012, right?

Ok on a completely other note: I'm really excited to see how Apple will use this patent. Unlocking my phone by simply touching it? Sounds amazing. I always thought that this face recognition unlocking from Android was amazing...but obviously not enough to warrant a switch...